From 4101ba1397ceee93f0127f26b1a02ce45a2c86c4 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Apr 18 2013 22:39:04 +0000
Subject: * Thu Apr 18 2013 Paul Wouters - 3.2.15-4 - Enable hardened build - rhbz#850231 - Introduce new systemd-rpm macros in nsd spec file - Added -D option to nsd to allow us to use systemd service Type=simple - Switch from Fork to Simple systemd service - Use /run and not /var/run for pid - The cronjon now uses systemctl reload, which also triggers notifies (should speed up notifications to secondaries)
---
diff --git a/nsd.cron b/nsd.cron
index faecb2a..b4f5778 100644
--- a/nsd.cron
+++ b/nsd.cron
@@ -37,8 +37,7 @@ case "$NSD_AUTOREBUILD" in
 if [ $zonefile -nt $database ]
 then
 echo "Zone $zonefile update requires database rebuild"
- $NSDC_PROG rebuild > /dev/null 2>&1
- $NSDC_PROG reload > /dev/null 2>&1
+ systemctl reload nsd.service > /dev/null 2>&1
 break
 fi
 done
diff --git a/nsd.service b/nsd.service
index 54f0952..03af2c6 100644
--- a/nsd.service
+++ b/nsd.service
@@ -3,13 +3,15 @@ Description=NSD DNS Server
 After=syslog.target network.target
 
 [Service]
-Type=forking
+Type=simple
 PIDFile=/var/run/nsd/nsd.pid
 EnvironmentFile=-/etc/sysconfig/nsd
 ExecStartPre=/usr/sbin/nsdc -c /etc/nsd/nsd.conf rebuild
-ExecStart=/usr/sbin/nsd -c /etc/nsd/nsd.conf $OTHER_NSD_OPTS
+ExecStart=/usr/sbin/nsd -D -c /etc/nsd/nsd.conf $OTHER_NSD_OPTS
 ExecReload=/usr/sbin/nsdc -c /etc/nsd/nsd.conf rebuild
 ExecReload=/usr/sbin/nsdc -c /etc/nsd/nsd.conf reload
+# notify blocks on misconfigurations - but does show it very loudly
+ExecReload=/usr/sbin/nsdc -c /etc/nsd/nsd.conf notify
 ExecStop=/usr/sbin/nsdc -c /etc/nsd/nsd.conf patch
 ExecStop=/usr/sbin/nsdc -c /etc/nsd/nsd.conf stop
 ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state
diff --git a/nsd.spec b/nsd.spec
index 641a4e3..c1c90dd 100644
--- a/nsd.spec
+++ b/nsd.spec
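Review bot: The new `systemctl reload nsd.service > /dev/null 2>&1` discards both the exit status and all output, so a failed reload — including the `nsdc ... notify` step that the new nsd.service comment says blocks on misconfigurations — leaves no trace from an hourly cron run; the replaced `$NSDC_PROG` lines were equally silent, but a reload routed through systemd can now also fail because the unit is inactive or the reload job times out, which this script never had to consider. Keep at least a one-line record of failure, e.g. `systemctl reload nsd.service > /dev/null 2>&1 || logger -t nsd-cron "systemctl reload nsd.service failed (status $?)"`. The `case`/loop this sits in starts outside the hunk, and the context lines still use unquoted `$zonefile`/`$database` inside `[ ]`, which is pre-existing and not touched here.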
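Review bot: `PIDFile=/var/run/nsd/nsd.pid` is left untouched while this same commit changes the spec's `--with-pidfile` to `/run/%{name}/%{name}.pid` and switches `Type=` to `simple`; with Type=simple systemd already tracks the main PID it forked, so the line is at best redundant and, wherever /var/run is not a symlink to /run, points at a path nsd no longer writes. Either drop it or change it to `PIDFile=/run/nsd/nsd.pid` so the unit and the build option agree. Separately, the new `ExecReload=... notify` line is described as blocking on misconfigurations: a hung ExecReload holds the reload job until systemd's timeout and then marks the reload failed, and a non-zero exit from notify fails the reload outright. If notify failures are meant to be non-fatal, prefix the command with `-` (`ExecReload=-/usr/sbin/nsdc -c /etc/nsd/nsd.conf notify`); that only makes the exit status non-fatal and does not shorten a hang, so if it can genuinely block, it belongs outside ExecReload.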
@@ -1,7 +1,9 @@
+%global _hardened_build 1
+
 Summary: Fast and lean authoritative DNS Name Server
 Name: nsd
 Version: 3.2.15
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/%{name}/
 Source: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz
@@ -10,6 +12,7 @@ Source2: nsd.cron
 Source3: nsd.sysconfig
 Source4: tmpfiles-nsd.conf
 Patch0: nsd-install.patch
+Patch1: nsd-3.2.15-nofork.patch
 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel
 BuildRequires: systemd-units
@@ -28,10 +31,13 @@ consult the REQUIREMENTS document which is a part of this distribution
 %prep
 %setup -q
 %patch0 -p1 -b .install
+%patch1 -p1 -b .nofork
 
 %build
+export CFLAGS="$RPM_OPT_FLAGS -fPIE -Wformat-nonliteral -Wformat-security"
+export LDFLAGS="-pie -Wl,-z,relro,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
 %configure --enable-bind8-stats --enable-checking --enable-nsec3 \
- --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid --with-ssl \
+ --with-pidfile=/run/%{name}/%{name}.pid --with-ssl \
 --with-user=nsd --with-difffile=%{_localstatedir}/lib/%{name}/ixfr.db \
 --with-xfrdfile=%{_localstatedir}/lib/%{name}/ixfr.state \
 --with-dbfile=%{_localstatedir}/lib/%{name}/nsd.db \
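Review bot: The hand-exported `CFLAGS`/`LDFLAGS` in the `%build` hunk duplicate what `%global _hardened_build 1` (first hunk on this line) already asks redhat-rpm-config to inject into `%configure`, and they hard-code `-specs=/usr/lib/rpm/redhat/redhat-hardened-ld`, a path that exists only where that package supplies it. Two sources of truth for PIE/RELRO make it easy for one to be dropped later without anyone noticing; rely on the macro, or keep only flags the macro does not already provide. `-Wformat-nonliteral -Wformat-security` are diagnostics only and never fail the build, so they enforce nothing — if the intent is to reject format-string misuse, `-Werror=format-security` is the form that does. Whichever way this goes, a one-line comment above the exports stating why they are set in addition to the macro would stop the next maintainer from removing the wrong half.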
@@ -44,18 +50,16 @@ iconv -f iso8859-1 -t utf-8 doc/CREDITS > doc/CREDITS.utf8
 mv -f doc/RELNOTES.utf8 doc/RELNOTES
 mv -f doc/CREDITS.utf8 doc/CREDITS
 
-
 %install
 %{__make} DESTDIR=%{buildroot} install
 mkdir -p %{buildroot}%{_unitdir}
 install -d -m 0755 %{buildroot}%{_sysconfdir}/cron.hourly
 install -c -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/cron.hourly/nsd
 install -m 0755 %{SOURCE1} %{buildroot}/%{_unitdir}/nsd.service
-install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}
 install -d -m 0700 %{buildroot}%{_localstatedir}/lib/%{name}
 install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
 install -m 0755 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}
-mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
+mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/ %{buildroot}/run/%{name}
 install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/tmpfiles.d/nsd.conf
 
 # change .sample to normal config files
@@ -73,8 +77,7 @@ echo "# include: \"/some/path/file\"" >> %{buildroot}%{_sysconfdir}/nsd/nsd.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/tmpfiles.d/nsd.conf
 %attr(0644,root,root) %{_unitdir}/%{name}.service
 %{_sysconfdir}/cron.hourly/nsd
-# owner nsd is to work around 'nsdc restart' pid bug (no permission to unlink root file)
-%ghost %attr(0755,nsd,root) %dir %{_localstatedir}/run/%{name}
+%attr(0755,nsd,nsd) %dir /run/%{name}
 %attr(0755,%{name},%{name}) %dir %{_localstatedir}/lib/%{name}
 %{_sbindir}/*
 %{_mandir}/*/*
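Review bot: The new `%attr(0755,nsd,nsd) %dir /run/%{name}` in the `%files` hunk drops the `%ghost` the old entry carried, so rpm now owns a real directory on a tmpfs that disappears at every reboot: `rpm -V nsd` will report it missing, and the only thing recreating it at boot is the tmpfiles.d fragment installed from `%{SOURCE4}`, whose contents are not in this diff. Keep it ghosted, `%ghost %attr(0755,nsd,nsd) %dir /run/%{name}`, and confirm tmpfiles-nsd.conf creates `/run/nsd` with the same owner and mode (it may still name the old `/var/run` path or the old `nsd:root` owner — verify). With a ghosted entry the added `%{buildroot}/run/%{name}` in the `%install` hunk earlier on this line is not required, though it is harmless. The removed comment explaining why the directory is owned by nsd (`nsdc restart` could not unlink a root-owned pidfile) should be carried over, since the group is also changed from `root` to `nsd` here without a stated reason.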
@@ -87,24 +90,13 @@ useradd -r -g nsd -d /etc/nsd -s /sbin/nologin \
 exit 0
 
 %post
-if [ $1 -eq 1 ] ; then
- # Initial installation
- /bin/systemctl daemon-reload >/dev/null 2>&1 || :
-fi
+%systemd_post nsd.service
 
 %preun
-if [ $1 -eq 0 ] ; then
- # Package removal, not upgrade
- /bin/systemctl --no-reload disable nsd.service > /dev/null 2>&1 || :
- /bin/systemctl stop nsd.service > /dev/null 2>&1 || :
-fi
+%systemd_preun nsd.service
 
 %postun
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ $1 -ge 1 ] ; then
- # Package upgrade, not uninstall
- /bin/systemctl try-restart nsd.service >/dev/null 2>&1 || :
-fi
+%systemd_postun_with_restart nsd.service
 
 %triggerun -- nsd < 3.2.8-6
 # Save the current service runlevel info
@@ -117,11 +109,21 @@ fi
 /bin/systemctl try-restart nsd.service >/dev/null 2>&1 || :
 
 %changelog
+* Thu Apr 18 2013 Paul Wouters - 3.2.15-4
+- Enable hardened build
+- rhbz#850231 - Introduce new systemd-rpm macros in nsd spec file
+- Added -D option to nsd to allow us to use systemd service Type=simple
+- Switch from Fork to Simple systemd service
+- Use /run and not /var/run for pid
+- The cronjon now uses systemctl reload, which also triggers notifies
+ (should speed up notifications to secondaries)
+
 * Mon Mar 25 2013 Peter Robinson 3.2.15-3
 - Bump so rawhide/F19 has bigger NVR that older releases
 
 * Mon Feb 04 2013 Paul Wouters - 3.2.15-1
 - Updates to 3.2.15 which contains rate limit code
+ (fixes rhbz#842036 - nsd fails to start in fips mode)
 
 * Fri Nov 23 2012 Paul Wouters - 3.2.14-2
 - Updated to 3.2.14 with minor bugfixes and TCP writev support
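Review bot: `%systemd_post`, `%systemd_preun` and `%systemd_postun_with_restart` are rpm macros expanded at build time from the macros file the systemd package ships, and an undefined macro is left verbatim — the installed scriptlet would then try to execute `%systemd_post nsd.service` as a shell command and fail at install time. The only systemd build dependency visible in this commit is `BuildRequires: systemd-units` (earlier hunk); confirm the build root actually provides these macros (the guideline behind rhbz#850231 calls for `BuildRequires: systemd` plus `Requires(post)`, `Requires(preun)` and `Requires(postun): systemd`) and that the runtime scriptlet requirements are present in the part of the spec outside this diff. The `%triggerun` block that follows keeps its hand-written `/bin/systemctl` calls; that is fine for a one-off migration trigger, but a short comment saying so would explain why it is not converted like the three scriptlets above it.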